NAME

realmd.conf - Tweak behavior of realmd

CONFIGURATION FILE

realmd can be tweaked by network administrators to act in specific ways. This is done by
placing settings in /etc/realmd.conf. This file does not exist by default. The syntax of
this file is the same as an INI file or Desktop Entry file.
In general, settings in this file only apply at the point of joining a domain or realm.
Once the realm has been set up the settings have no effect; to change behaviour after the
join, configure SSSD[1] or Winbind[2] directly.
Only specify the settings you wish to override in the /etc/realmd.conf file. Settings not
specified will be loaded from their packaged defaults. Only override the settings below.
You may find other settings if you look through the realmd source code. However these are
not guaranteed to remain stable.
There are various sections in the config file. Some sections are global topic sections,
and are listed below. Other sections are specific to a given realm. These realm specific
sections should always contain the domain name in lower case as their section header.
Examples of each setting are found below, including the header of the section it should be
placed in. However, in the resulting file only include each section once, and combine the
various settings for a section as lines underneath that single header. For example:
[users]
default-home = /home/%U
default-shell = /bin/bash
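
The rules above (one copy of each section, lower-case realm section names, only the documented keys, yes/no booleans, a default-shell that is listed in /etc/shells) are easy to get wrong by hand. The following checker is an added example, not part of realmd, that parses a candidate /etc/realmd.conf with Python's configparser and reports the mistakes this page warns about. The two sample configurations and the stand-in for /etc/shells are constructed for the example; the key lists are the settings documented on this page.

```python
import configparser
import re
from typing import Dict, List, Set

# Sections and keys documented on this page. Realm-specific sections are
# recognised by name instead: a lower-case domain name such as domain.example.com.
GLOBAL_KEYS: Dict[str, Set[str]] = {
    "active-directory": {"default-client", "os-name", "os-version"},
    "service": {"automatic-install"},
    "users": {"default-home", "default-shell"},
}
REALM_KEYS: Set[str] = {"computer-ou", "user-principal", "automatic-id-mapping",
                        "manage-system", "fully-qualified-names"}
BOOL_KEYS: Set[str] = {"automatic-install", "user-principal", "automatic-id-mapping",
                       "manage-system", "fully-qualified-names"}
REALM_SECTION = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def lint_realmd_conf(text: str, shells: List[str]) -> List[str]:
    """Return findings for the body of a realmd.conf; an empty list means clean.

    `shells` stands in for the contents of /etc/shells so the check runs offline.
    """
    # interpolation=None: default-home uses %D/%U, which configparser's default
    # interpolation would reject. strict=True (the default) raises on a section
    # or key that appears twice, which is what the text above says not to do.
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.DuplicateSectionError as e:
        return [f"section [{e.section}] appears more than once; merge its settings"]
    except configparser.DuplicateOptionError as e:
        return [f"[{e.section}] sets {e.option} more than once"]
    except configparser.Error as e:
        return [f"parse error: {e}"]

    findings: List[str] = []
    for section in cp.sections():
        if section in GLOBAL_KEYS:
            allowed = GLOBAL_KEYS[section]
        elif REALM_SECTION.match(section):
            allowed = REALM_KEYS
        elif REALM_SECTION.match(section.lower()):
            findings.append(f"realm section [{section}] must be lower case: [{section.lower()}]")
            allowed = REALM_KEYS
        else:
            findings.append(f"unknown section [{section}]")
            continue
        for key, value in cp.items(section):
            if key not in allowed:
                findings.append(f"[{section}] {key}: not a documented setting for this section")
            elif key in BOOL_KEYS and value not in ("yes", "no"):
                findings.append(f"[{section}] {key}: expected yes or no, got {value!r}")
            elif key == "default-client" and value not in ("sssd", "winbind"):
                findings.append(f"[{section}] default-client: expected sssd or winbind, got {value!r}")
            elif key == "default-shell" and value not in shells:
                findings.append(f"[{section}] default-shell {value!r} is not in /etc/shells; "
                                "domain users will not be able to log in")
            elif key == "default-home" and (not value.startswith("/") or "%U" not in value):
                findings.append(f"[{section}] default-home {value!r} should be an absolute "
                                "path that contains %U")
            elif key == "fully-qualified-names" and value == "no":
                findings.append(f"warning: [{section}] fully-qualified-names = no lets domain "
                                "names collide with local users and groups")
    return findings


# Constructed sample: a clean file that combines the examples from this page.
GOOD_CONF = """\
[users]
default-home = /home/%D/%U
default-shell = /bin/bash

[active-directory]
default-client = sssd
# default-client = winbind

[domain.example.com]
computer-ou = OU=Linux Computers,DC=domain,DC=example,DC=com
automatic-id-mapping = no
"""

# Constructed sample with the mistakes the text warns about.
BAD_CONF = """\
[users]
default-shell = /usr/bin/fish
default-home = home/%D

[DOMAIN.example.com]
user-prinicpal = yes
manage-system = maybe
fully-qualified-names = no

[serivce]
automatic-install = no
"""

SHELLS = ["/bin/sh", "/bin/bash"]  # stands in for /etc/shells

if __name__ == "__main__":
    for line in lint_realmd_conf(BAD_CONF, SHELLS):
        print(line)
```

Run it against a real file with `lint_realmd_conf(open("/etc/realmd.conf").read(), open("/etc/shells").read().split())` before joining; since the settings only take effect at join time, this is the last point at which a typo is cheap to fix.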

ACTIVE-DIRECTORY

These options should go in an [active-directory] section of the /etc/realmd.conf file.
Only specify the settings you wish to override.
default-client
Specify the default-client setting in order to control which client software is the
preferred default for use with Active Directory.
[active-directory]
default-client = sssd
# default-client = winbind
The default setting for this is sssd which uses SSSD[1] as the Active Directory
client. You can also specify winbind to use SambaWinbind[2].
Some callers of realmd, such as the realm command line tool, allow specifying which
client software should be used. Others, such as GNOME Control Center, simply choose
the default.
You can verify the preferred default client software by running the following command.
The realm with the preferred client software will be listed first.
$ realm discover domain.example.com
domain.example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  type: kerberos
  realm-name: AD.THEWALTER.LAN
  domain-name: ad.thewalter.lan
domain.example.com
  configured: no
  server-software: active-directory
  client-software: winbind
  type: kerberos
  realm-name: AD.THEWALTER.LAN
  domain-name: ad.thewalter.lan
os-name
os-version
Specify the os-name and/or os-version settings to control the values that are placed
in the computer account operatingSystem and operatingSystemVersion attributes.
This is an Active Directory specific option.
[active-directory]
os-name = Gentoo Linux
os-version = 9.9.9.9.9

SERVICE

These options should go in a [service] section of the /etc/realmd.conf file. Only specify
the settings you wish to override.
automatic-install
Set this to no to disable automatic installation of packages via PackageKit. The client
packages (for example SSSD or Winbind) must then already be installed before the join.
[service]
automatic-install = no
# automatic-install = yes

USERS

These options should go in a [users] section of the /etc/realmd.conf file. Only specify
the settings you wish to override.
default-home
Specify the default-home setting in order to control how to set the home directory for
accounts that have no home directory explicitly set.
[users]
default-home = /home/%D/%U
# default-home = /nfs/home/%D-%U
The default setting for this is /home/%D/%U. The %D format is replaced by the domain
name. The %U format is replaced by the user name.
You can verify the home directory for a user by running the following command.
$ getent passwd 'DOMAIN\User'
DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
Note that in the case of IPA domains, most users already have a home directory
configured in the domain. Therefore this configuration setting may rarely show
through.
default-shell
Specify the default-shell setting in order to control how to set the Unix shell for
accounts that have no shell explicitly set.
[users]
default-shell = /bin/bash
# default-shell = /bin/sh
The default setting for this is the /bin/bash shell. The shell should be a valid shell if
you expect domain users to be able to log in; for example, it should be listed in the
/etc/shells file.
You can verify the shell for a user by running the following command.
$ getent passwd 'DOMAIN\User'
DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
Note that in the case of IPA domains, most users already have a shell configured in
the domain. Therefore this configuration setting may rarely show through.

REALM SPECIFIC SETTINGS

These options should go in a section with the same name as the realm in the
/etc/realmd.conf file. For example, for the domain.example.com domain the section would be
called [domain.example.com]. To figure out the canonical name for a realm use the realm
command:
$ realm discover --name DOMAIN.example.com
domain.example.com
...
Only specify the settings you wish to override.
computer-ou
Specify this option to create directory computer accounts in a location other than the
default. This currently only works with Active Directory domains.
[domain.example.com]
computer-ou = OU=Linux Computers,DC=domain,DC=example,DC=com
# computer-ou = OU=Linux Computers,
Specify the OU as an LDAP DN. It can be relative to the Root DSE, or a complete LDAP
DN. The OU must already exist in the directory; realmd does not create it.
It is also possible to use the --computer-ou argument of the realm command to create a
computer account at a specific OU.
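
To see concretely what "relative to the Root DSE" means for the two forms shown above, the following is an added example (not realmd's or adcli's own logic) that expands a computer-ou value into the full DN under which the computer account would land, and rejects a complete DN that belongs to a different domain. The rule it applies is an assumption for this example: a value with no DC= components, such as the page's `OU=Linux Computers,`, is treated as relative and gets the domain's DC components appended; a value that already has DC= components is taken as a complete DN. Escaped commas inside RDN values are not handled.

```python
import re
from typing import List

# Accept plain OU/CN/DC components; escaped commas inside values are not
# handled here (assumption for this example).
RDN = re.compile(r"^(OU|CN|DC)=[^,]+$", re.IGNORECASE)


def base_dn_for_domain(domain: str) -> str:
    """DC=... components of the Root DSE for a DNS domain name."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def split_dn(dn: str) -> List[str]:
    """Split a DN into stripped RDN strings, dropping the empty element that a
    trailing comma (the relative form on this page) leaves behind."""
    rdns = [p.strip() for p in dn.split(",")]
    rdns = [p for p in rdns if p]
    bad = [p for p in rdns if not RDN.match(p)]
    if bad:
        raise ValueError(f"unsupported RDN(s): {bad}")
    return rdns


def resolve_computer_ou(ou: str, domain: str) -> str:
    """Expand a computer-ou value into the full DN for the computer account.

    Assumption for this example: no DC= components means the value is relative
    to the Root DSE; otherwise it is a complete DN and must lie under `domain`.
    """
    base = base_dn_for_domain(domain)
    rdns = split_dn(ou)
    if not any(r.upper().startswith("DC=") for r in rdns):
        return ",".join(rdns + [base])
    base_rdns = base.split(",")
    tail = [r.lower() for r in rdns[-len(base_rdns):]]
    if tail != [b.lower() for b in base_rdns]:
        raise ValueError(f"{ou!r} is not under {base}")
    return ",".join(rdns)


if __name__ == "__main__":
    for value in ("OU=Linux Computers,", "OU=Servers,OU=Linux Computers",
                  "OU=Linux Computers,DC=domain,DC=example,DC=com"):
        print(f"{value!r:50} -> {resolve_computer_ou(value, 'domain.example.com')}")
```

Once you have the full DN, confirm it exists before joining, for example with `ldapsearch -b "<full DN>" -s base` against a domain controller; the account used for the join also needs the right to create computer objects in that OU, which is a separate check from the OU existing.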
user-principal
Set user-principal to yes to create a userPrincipalName attribute for the computer
account in the realm, in the form host/computer@REALM.
[domain.example.com]
user-principal = yes
automatic-id-mapping
This option is on by default for Active Directory realms. Turn it off to use the UID and
GID information stored in the directory (as per RFC 2307) rather than automatically
generating UID and GID numbers.
This option only makes sense for Active Directory realms.
[domain.example.com]
automatic-id-mapping = no
# automatic-id-mapping = yes
manage-system
This option is on by default. Normally joining a realm affects many aspects of the
configuration and management of the system. Turning this off limits the interaction
with the realm or domain to authentication and identity.
[domain.example.com]
manage-system = no
# manage-system = yes
When this option is turned on, realmd defaults to using domain policy to control who
can log into this machine. Further adjustments to login policy can be made with the
realm permit command.
fully-qualified-names
This option is on by default. If turned off, realm user and group names are not
qualified with the domain name. This may cause them to conflict with local user and
group names, so check for such conflicts before turning it off.
[domain.example.com]
fully-qualified-names = no
# fully-qualified-names = yes
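
The conflict mentioned above is worth checking before the join rather than after, since a domain account named like a local one would become ambiguous to anything that resolves names (sudoers, file ownership, service accounts). The following is an added example, not part of realmd, that compares the names in passwd- and group-style databases with the names a domain would expose and lists every collision that fully-qualified-names = no would introduce. The local database lines and the domain name lists are constructed for the example; the comparison folds case because Active Directory names are case-insensitive (assumption: the client software folds case the same way).

```python
from typing import Dict, List, Sequence, Tuple

# Constructed sample /etc/passwd and /etc/group lines (not from a real host).
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Local Admin:/home/admin:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
LOCAL_GROUP = """\
root:x:0:
sudo:x:27:admin
admin:x:1000:
"""
# Constructed sample of the user and group names a domain would expose.
DOMAIN_USERS = ["alice", "admin", "Backup"]
DOMAIN_GROUPS = ["domain users", "sudo", "engineering"]


def names_from_db(text: str) -> Dict[str, str]:
    """Map name -> numeric id from passwd- or group-style lines."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3:
            out[fields[0]] = fields[2]
    return out


def unqualified_collisions(local: Dict[str, str],
                           domain_names: Sequence[str]) -> List[Tuple[str, str, str]]:
    """(domain name, local name, local id) for every domain name that would be
    ambiguous with fully-qualified-names = no. Case is folded because AD names
    are case-insensitive (assumption: the client folds case the same way)."""
    folded = {name.lower(): (name, ident) for name, ident in local.items()}
    hits: List[Tuple[str, str, str]] = []
    for name in domain_names:
        if name.lower() in folded:
            local_name, local_id = folded[name.lower()]
            hits.append((name, local_name, local_id))
    return hits


def check_realm(local_passwd: str, local_group: str,
                domain_users: Sequence[str], domain_groups: Sequence[str]) -> Dict[str, list]:
    """Collisions for users and groups, keyed by database."""
    return {
        "users": unqualified_collisions(names_from_db(local_passwd), domain_users),
        "groups": unqualified_collisions(names_from_db(local_group), domain_groups),
    }


if __name__ == "__main__":
    report = check_realm(LOCAL_PASSWD, LOCAL_GROUP, DOMAIN_USERS, DOMAIN_GROUPS)
    for kind, hits in report.items():
        for domain_name, local_name, local_id in hits:
            print(f"{kind}: domain {domain_name!r} collides with local {local_name!r} (id {local_id})")
```

On a real host, feed it the output of `getent passwd` and `getent group` taken before the join (so only local entries are present) and the user and group names obtained from the domain; any hit is a reason to leave fully-qualified-names at its default.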